The need for organizations to design and adhere to strong security policies in order to maintain the integrity of their systems is well understood. As long as all you have to worry about is your own internal infrastructure, creating the right policies and sticking to them is a great way to help reduce risk on your network. But there are some circumstances where it is necessary to outsource a mission-critical piece of infrastructure to a third party. Some services are simply not cost-effective to build and manage in-house to get the required level of performance and security. Other services can only be procured from a third party vendor. Herein lies the soft underbelly of security for many organizations.
Web Hosting Providers are the most obvious example of such a service. Every company needs hosting, but few have the resources, the expertise and the desire to build and manage their own world-class data centers, redundant peering connections, and network and server infrastructure.
Thankfully, Web hosting is also one of the areas with the most security awareness among buyers. Most organizations would not consider signing up with a hosting company that did not offer a service-level agreement compatible with their own security goals – the Web server is an obvious target for malicious hackers. Nowadays, as criminals seek out vulnerable hosts to infect with drive-by downloads, for example, companies run the risk of not only infecting their customers with malware but also being black-listed by client security software and even search engines if their Web servers become compromised through no fault of their own. Even a quickly resolved security incident can have serious repercussions on user accessibility and search engine rankings.
You should be clear what security measures your hosting providers have chosen to implement, how these measures shape up compared to your own security policies, and what the potential points of failure are. For example, your host’s data center may well have biometric locks on its doors, but if their Web-based control panel uses single-factor authentication – just an e-mail address and password – before granting control over your entire site, you should ask yourself whether enough is being done to keep the bad guys out. Hacking your hosting company is the same as hacking your organization, in these cases.
Domain name registrars are the second set of providers whose security practices can affect you significantly. These companies are the interface between your organization and the rest of the domain name system. Their critical function is to provision you with your choice of domain name, and to enable you to point your domain to your name servers of choice, whether these belong to the registrar, your own organization, or a third-party DNS resolution provider.
For this reason, the credentials for your registrar account really are the keys to the kingdom. If an attacker can access your registrar account, he can configure the name server settings to point your domain to the server of his choice. As soon as the updates propagate throughout the Internet, the attacker can intercept all e-mail and Web traffic destined for your domain. Your customers arrive at his website, your emails arrive in his in-box. Worse, the hacker now has access to every domain name you own with this registrar – and if you are like many organizations, you have consolidated your domain names with one registrar, making the job of stealing all your online property very easy.
Worse still, if the domain is not locked, the attacker could transfer it to an account he controls at a different registrar. Recovering ownership of your domain when it is still managed by your original registrar is challenging enough, but the job becomes exponentially harder when the domain has been transferred to another registrar, perhaps located in a different time zone, in a country on the other side of the world and transacting business in a language that you do not speak.
Attackers usually resort to phishing or social engineering in order to discover the password for their victim’s account – they can target the registrar’s technical support or the registrant herself, to try to persuade them to hand over useful information. While there’s nothing baked into the DNS that can prevent this, a small number of registrars do offer premium-priced services that can mitigate the risk of such hijacking, by requiring additional validation before important changes are made. Choosing the right domain name registrar could spell the difference between peace of mind for your online presence and severe reputational and business loss.
DNS Resolution Providers are the third potential weak link in the chain, if only because a major class of attacks – cache poisoning – is designed specifically to exploit vulnerabilities in that function of the domain name system. These attacks attempt to inject false addressing information into name servers in order to redirect web traffic and email to the attacker’s server. In general, cache poisoning targets recursive, rather than authoritative, name servers. But an insecure authoritative name server set-up could have recursion enabled, opening up the domain to exploits such as the so-called Kaminsky Bug.
Since DNS Providers also use a control panel with a login mechanism, they too are vulnerable to the same user authentication and access control issues as Web hosts and domain name registrars. Any system that, once compromised, could bring down a company’s entire Internet presence requires stronger security than simple username and password logins. A stronger security policy would describe a system where the process is protected by multi-factor authentication, access is restricted to authorized IP addresses and administrators are sent security alerts using side channels such as text messages or phone calls whenever important changes are made.
But it’s an imperfect world, and buyers today will not always be able to choose a service provider that lives up to their strong expectations when it comes to security. You can investigate SLAs and ask for greater levels of security, but they are not always available.
There are some measures that can lessen the risks and make it easier to deal with the repercussions of attacks, however. If a service provider only offers weak single-factor authentication, for example, organizations can reduce risk by employing a policy of frequently changing passwords. When it comes to dealing with incidents, security administrators also need to ensure they can quickly reach a knowledgeable person at their provider at any time of the day, on any day of the week – when you are hacked, it is likely to happen on the weekend or in the evening when normal technical support channels are not as reliable as you need them to be.
At the end of the day, security improvements at Web hosting providers, domain name registrars and DNS resolution providers will only happen if you ask for them. A large measure of your fate online rests in the hands of these three providers. This should motivate you to either ask your provider to upgrade their security measures, or to switch to a better provider.